A Flashy Facebook Page, at a Cost to Privacy
Add-Ons to Online Social Profiles Expose Personal Data to Strangers

By Kim Hart
Washington Post Staff Writer
Thursday, June 12, 2008

Facebook fanatics who have covered their profiles on the popular social networking site with silly games and quirky trivia quizzes may be unknowingly giving a host of strangers an intimate peek at their lives.

Those mini-programs, called widgets or applications, allow users to personalize their pages and connect with friends and acquaintances. But they could pose privacy risks. Some security researchers warn that developers of the software have assembled too much information -- home town, schools attended, employment history -- and can use the data in ways that could harm or annoy users.

"Everything requires you to give access to personal information or it forces you to ask your friends to do the same -- it becomes a real nuisance," said David Dixon, 40, an information technology consultant in Columbia who recently deleted most of the applications he had downloaded to his Facebook profile after reading on a blog that developers may have access to his information. "Why does a Sudoku puzzle have to know I have two kids? Why does a postcard need to know where I went to college?"

Even private profiles, in which personal details are available only to specific friends, reveal personal information, said Chris Soghoian, a cyber-security researcher at Indiana University. And they're allowing access to their friends' information -- even if their friends are not using the application. That's because MySpace and Facebook, the largest online social networks, let outside developers see a member's information when they add a program.

"You want to be social with your friends, but now you're giving 20 guys you've never met vast amounts of information from your profile," he said. "That should be troubling to people."

A year ago, Facebook started allowing outside developers to create small software programs for members to download. Since then, the company said, about 24,000 applications have been built by 400,000 developers. They've become enormously popular, with users playing poker, getting daily horoscopes and sending one another virtual cocktails, to name a few. More than 95 percent of Facebook users have installed at least one application, the company said.

Applications have grown so much that venture-capital firms have formed exclusively to fund their development, and there is a Stanford University course devoted to creating them.

In February, MySpace also opened up to developers. It has more than 1,000 applications. The company, along with other social networks such as Hi5 and AOL's Bebo, allows applications under OpenSocial, a Google-led initiative that lets developers distribute games and other programs across multiple social networks.

Each site has come up with its own policies on the data that developers are allowed to see. MySpace, the largest social network, with 110 million members, said developers can see users' public details -- name, profile picture and friend lists -- when they download a program. When a user installs one on Facebook, which has 70 million members, the developer can see everything in a profile except contact information, as well as friends' profiles. Members can limit what is seen by changing privacy controls, and both companies say developers are allowed to keep those data for only 24 hours.

Developers can collect other data from members once they've download the applications.

Ben Ling, director of Facebook's platform, said that developers are not allowed to share data with advertisers but that they can use it to tailor features to users. Facebook now removes applications that abuse user data by, for example, forcing members to invite all of their friends before they can use it.

"When we find out people have violated that policy, there is swift enforcement," he said.

But it is often difficult to tell when developers are breaking the rules by, for example, storing members' data for more than 24 hours, said Adrienne Felt, who recently studied Facebook security at the University of Virginia.

She examined 150 of the most popular Facebook applications to find out how much data could be gathered. Her research, which was presented at a privacy conference last month, found that about 90 percent of the applications have unnecessary access to private data.

"Once the information is on a third-party server, Facebook can't do anything about it," she said. Developers can use it to provide targeted ads based on a member's gender, age or relationship status.

Consumer advocates have voiced concerns over how software developers are using such data. The Center for Digital Democracy is urging the Federal Trade Commission to look into the privacy policies surrounding third-party applications.

Some developers acknowledge the value of the data at their fingertips but say they're careful not to abuse it.

"We don't care who their favorite musicians are, and we're not looking at their pictures," said Dan Goodman, co-founder of Loladex, an application that lets users find friend-recommended businesses, such as plumbers and pizzerias. Loladex does keep track of user-provided data, such as Zip codes.

Goodman said he hasn't ruled out using the data for targeted advertising, but "we're not trying to push the privacy envelope."

Hungry Machine, based in Georgetown, has created 25 Facebook applications, including programs that let users recommend movies, books and music.

"Leveraging that data would make a lot of sense," said Tim O'Shaughnessy, a co-founder of the company. But he said no plans are in the works.

Slide, which designed three of the most popular Facebook applications -- SuperPoke, FunWall and Top Friends -- said it uses personal details only to make applications more relevant to users. For example, Slide collects friends' birthdays so it can remind you to "poke" them on the right day.

Many Facebook users don't mind using the tools to express themselves. Gabby Jordan of Baltimore uses the Flirtable and Pimp Wars programs to connect with friends.

"If there are too many, you could easily delete them off your profile and not have to worry about it," she wrote in an e-mail.

But revealing information on quizzes or maps of places visited, for instance, may also make it easier for strangers to piece together tidbits to create larger security threats, said Alessandro Acquisti, assistant professor of public policy and information systems at Carnegie Mellon University.

Some online activities ask users to list pets' names or to display their high school's mascot, answers to common security questions asked by financial companies.

"Nowadays, some people have downloaded so many [applications], it's a constant flow of information about what they've done, what they're doing, which can be mined by your friends and also by someone you don't know anything about," he said.